Wouldn’t it be nice if, when an employee leaves the organization, you could remove only your corporate data from their iPad or iPhone and leave all their personal data alone? It absolutely would, especially if that employee was using the native (built-in) mail app in iOS. Look no further, because Microsoft 365 has the capability to perform a selective wipe on the device and remove corporate data, including data from the native mail app.
So how is this possible?
Intune will remove data that is tied to your Azure Active Directory identity. So, if I am logged into the native mail app on my iPhone with my Azure AD credentials for my Office 365 mailbox, Intune treats that account as “corporate data”. If the device is enrolled into Intune Mobile Device Management (MDM) and the selective wipe command is issued (or the user manually performs a selective wipe via the Company Portal App), then the Office 365 data will be removed from the native mail app.
What are the requirements for this to work?
- The iOS device is enrolled into Intune MDM.
- An Intune iOS Device Configuration Profile that pushes a mail profile is configured and assigned to the user or device.
- The user is signed into the native mail app using their Azure AD credentials to access their Office 365 Mailbox.
- iOS Enrollment has been properly configured in Intune, and an iOS device compliance policy has been configured and assigned.
- The user has an Office 365 Exchange Online mailbox.
How do I configure it?
This is really made possible by having a mail profile configured in a Device Configuration Profile in Microsoft Intune. Let’s take a look at how to do that. From within the Intune blade in the Azure Portal, select Device Configuration -> Profiles and create a new profile for the iOS platform with a profile type of Email:
Next, click Settings and configure the email profile. See my screenshot below of how I set up my email profile for Office 365 based on my organization’s requirements (note, your configuration parameters may be different). When finished, click OK.
Click Save to save the email profile. Next, click Assignments and assign the new profile to All Users, or All Devices, or Selected Groups. For my environment, I am going to assign to a security group that sales and marketing employees belong to. When finished, click Save:
How do I test it?
Using my iPhone test device, I am going to enroll it into Intune MDM using the Company Portal App from the App Store. If you aren’t familiar with this process, see my blog: Intune: MDM Enrollment Experience (complete device management)
Important: Make sure the user or device that is enrolling is a member of the security group above, or that the Device Configuration Profile was assigned directly to that user or device!
You may be prompted to enter the password for the Exchange account (Office 365):
After tapping Edit Settings and entering my password, I’m going to launch the native mail app, and notice my email profile is now configured and my mailbox is visible in the app:
Now, we need to perform the selective wipe and remove only the corporate data. This can be performed in one of two ways: from the Azure portal, or from the Company Portal App on the iOS device.
Important: Selective Wipe in Intune is referred to as Retire. More information on differences between Wipe and Retire can be found here.
From within Intune I am going to click my iOS device (Megan’s iPod Touch):
Then I will choose Retire and click Yes at the warning:
The Retire request will be submitted and the status will change to Pending:
Wait a few moments for the Retire command to be sent to the device, then on the iOS device launch the native mail app:
The corporate data (Office 365 mailbox) and cached email will be removed, and the app will be returned to the sign in screen:
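The same Retire (selective wipe) can be issued through Microsoft Graph rather than the portal, which is handy for offboarding automation. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, the caller has the DeviceManagementManagedDevices.PrivilegedOperations.All permission, and the Intune device name is passed in (the post’s “Megan’s iPod Touch” is only the lookup key).

```powershell
# Added example: retire (selective wipe) an Intune-managed iOS device via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK present; caller granted
# DeviceManagementManagedDevices.PrivilegedOperations.All.
param(
    [Parameter(Mandatory)][string]$DeviceName   # e.g. "Megan's iPod Touch"
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All"

# 1. Find the enrolled device by its Intune device name (OData single quotes are doubled).
$escaped = $DeviceName.Replace("'", "''")
$uri     = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '{0}'" -f $escaped
$lookup  = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $uri
$device  = $lookup.value | Select-Object -First 1
if (-not $device) { throw "No managed device named '$DeviceName' was found." }

# 2. Check the post's prerequisites before acting: iOS and MDM-managed.
if ($device.operatingSystem -ne 'iOS') {
    throw "Device is $($device.operatingSystem), not iOS."
}
if ($device.managementState -ne 'managed') {
    throw "Device is not in a managed state (current: $($device.managementState))."
}
Write-Host "Retiring '$($device.deviceName)' ($($device.id)) for $($device.userPrincipalName); compliance: $($device.complianceState)"

# 3. Retire = selective wipe: removes company data and the pushed mail profile,
#    personal data on the device is left alone.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)/retire"

# 4. Re-read the device to show the retire action moving from pending to done.
$after = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)"
$after.deviceActionResults |
    Where-Object { $_.actionName -eq 'retire' } |
    Select-Object actionName, actionState, startDateTime, lastUpdatedDateTime
```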
That’s it! While this is simple to set up, ensure you have met the requirements and that your mail profile in Intune has been properly configured and assigned. Note, if you are looking to perform the selective wipe or Retire on Android – this will require Android Enterprise. More information here.
Do you have a business requirement to block the download of specific files or file types from OneDrive? What about detailed auditing to understand what files are downloaded or viewed? Well, today is your lucky day – because this is all possible with Microsoft security technology and takes minutes to create. I’m going to walk you through how to do this, and in return, make you look like an IT Rockstar to your organization!
Note: There are other methods to restrict those files from being synchronized by the OneDrive desktop client; we won’t cover those today (they are configured in the SharePoint Online Admin Portal).
IMPORTANT: Nothing is 100% secure and it’s all about defense in depth. If you want that extra ply in the tinfoil hat, I highly recommend protecting and encrypting those files with Azure Information Protection as that extra layer of protection.
Also, it’s important to note that the method below, at the time of this writing, is in public preview.
My organization, an engineering firm, designs buildings for their commercial and government clients. These design plans often contain additional documentation that are in the form of a .PDF and sometimes photos in the form of a .JPEG (or .jpg).
These .PDF and .JPEG files are highly confidential and thus we want to make sure they never leave OneDrive in Office 365 and can only be viewed in a web browser. In other words, we need to block the ability for an end-user to download these two file types from OneDrive. So, how do we do this?
Azure Active Directory Conditional Access and Microsoft Cloud App Security Conditional Access App Control to the rescue! These two products make up the solution, and both are part of Microsoft 365 E5, EMS E5, or my new favorite: Microsoft 365 E3 + Identity & Threat Protection.
Let’s take a look at how to do this!
Step 1: Create an Azure AD Conditional Access Policy
From within the Azure portal -> Azure Active Directory -> Conditional Access -> New Policy I am going to create a new policy. First, give it a name, “OneDrive Block JPEG and PDF”. Next, assign it to specific users or groups of users. For testing purposes I’m assigning it to Adele Vance (IMPORTANT: Don’t lock yourself out! Careful planning is required when assigning to all users).
Next, add Office 365 SharePoint Online as the application to be applied to:
Under Session, select Use Conditional Access App Control, then click Done.
Next, click Enable policy to enable the policy and click Create.
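The Step 1 policy can also be created through Microsoft Graph, which makes it easy to review the exact scope before anyone is affected. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess and User.Read.All permissions, and that the test user’s UPN is passed in. It defaults to report-only mode so a mis-scoped policy cannot lock anyone out; switch it to enabled once the sign-in logs show the expected matches.

```powershell
# Added example: create the "OneDrive Block JPEG and PDF" Conditional Access policy
# through Microsoft Graph. Assumptions: Microsoft.Graph SDK present; caller granted
# Policy.ReadWrite.ConditionalAccess and User.Read.All.
param(
    [Parameter(Mandatory)][string]$TestUserUpn,   # e.g. the test account for Adele Vance
    # Report-only first (the post's "don't lock yourself out" warning), then 'enabled'.
    [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
    [string]$State = 'enabledForReportingButNotEnforced'
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# CA policies reference users by object id, so resolve the UPN first.
$user = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/users/$TestUserUpn?`$select=id,displayName"

# Well-known application id of Office 365 SharePoint Online; OneDrive is served by it.
$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'OneDrive Block JPEG and PDF'
    state       = $State
    conditions  = @{
        users          = @{ includeUsers = @($user.id) }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @('all')   # browser sessions are what Cloud App Security proxies
    }
    # Session control "Use Conditional Access App Control": hand the session to the
    # policies defined in Cloud App Security (the session policy built in Step 4).
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'mcasConfigured' }
    }
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

Write-Host "Created policy $($created.id) ('$($created.displayName)') in state '$($created.state)' scoped to $($user.displayName)"
```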
Step 2: Launch OneDrive (via portal.office.com)
Wait 15 minutes for the new Conditional Access policy to propagate. Next, open a new browsing session (InPrivate or on another computer) and log on as the test user the policy was just assigned to. In my case, I am going to sign in to portal.office.com in an InPrivate session as Adele. Browse to OneDrive in the Office portal and open a file in the web browser. Sign out of this web browsing session when done.
Step 3: Configure Microsoft Cloud App Security
We now need to configure Microsoft Cloud App Security (CAS) and create the appropriate policies.
To start, validate that OneDrive is a connected application by browsing to http://portal.cloudappsecurity.com and navigating to Investigate -> Connected Apps. Notice OneDrive for Business will be listed and connected: (Yes, you can also connect CAS to G-Suite, Box, and other apps!)
Next, click on Conditional Access App Control apps and OneDrive for Business will also be displayed:
Step 4: Create the Session Policy in Microsoft Cloud App Security
Next, we need to create the policy that will provide the session control when Adele uses OneDrive in the Office 365 Portal. To do this, navigate to Control -> Policies, click New Policy and select Session Policy.
Let’s give the policy a name and description:
Next, under Session control type select Control file download (with DLP). Under Activity source and activity filters, configure them per the screenshot below.
Scroll down (leave content inspection blank and don’t check the box) and under Actions select Block. OPTIONAL: Configure user email notification or customize block message. When finished at the bottom of the page click Create.
Step 5: Test the User Experience
Now it’s time to test and validate that this is the behavior we want. Open a new web browsing session and log in as the test user. In my case, I’m going to log in to portal.office365.com using Adele Vance’s account in an InPrivate browser session.
Once signed in, navigate to OneDrive in the Office 365 Portal. When you click on OneDrive, notice the splash page indicating this site is being monitored!
Also, notice the address of the site. It’s being proxied through CAS.MS indicating this session is being controlled by Cloud App Security:
Click Continue to Microsoft OneDrive for Business.
Notice I have two files, a .PDF and a .JPEG in the OneDrive folder:
Hover the cursor over the PDF, click the ellipsis, and select Download.
Notice, the file download is blocked with a splash message indicating it’s blocked!
Now, I know what you’re wondering, “Matt what’s that file it wants to save?” When I open that file, it’s just a warning:
From here, within the Cloud App Security Portal, I can audit the activity and receive additional details around this attempt:
Additional alerting can be generated, with an email or SMS notification sent. Imagine having CAS send an email to your ticket system so you can be notified of this violation? What about sending to your SIEM? Endless possibilities.
As you can see, with a bit of an open mind and creativity, building true security solutions that lead to a real business outcome is entirely possible. The total time spent creating this solution was 10 minutes. Don’t forget to test all the scenarios for this (which obviously will add to the 10 minutes). Questions? Let me know in the comments below!
Enjoy and help us make this world more secure! –Matt Soseman
Microsoft Ignite 2018 is right around the corner, September 24 – 28 in Orlando, Florida. While there are over 1591 sessions, I wanted to share with you the list of sessions that I will either be attending in person or watching the on-demand version later when I get home. Please feel free to use this list to help create your personal schedule, or on-demand viewing list later. Also, be sure to follow me on Twitter @SosemanMatt and LinkedIn for updates while at Ignite. Here are my recommendations from Ignite 2017. Enjoy!
Tip: Every year I spend ~200 hours watching Ignite sessions while running on the treadmill every evening or on an early Saturday morning to ensure I stay up to speed and keep my skills sharp. These sessions are addicting, and fun! They inspire me to go out and learn more, lab up a scenario, and give me great stories to share with my peers, customers and partners. Click each session to be taken directly to that session’s page on the Microsoft Ignite website.
My Session: BRK3135 – Learn more about security and compliance for Microsoft Teams (Also working the Microsoft Secure Score booth throughout the week, come see me and connect!)
GS006 – Modern teamwork: Transform collaboration and communications with Microsoft 365
BRK3221 – Combat advanced cyber attacks with Microsoft Cloud App Security
BRK2158 – Elevate the security for all your cloud apps and services with the Microsoft CASB – Cloud App Security
You’re in a conference call while at the airport on your iPhone, and the meeting starts to discuss that important PowerPoint slide or document. You say “I’ll have to show you when I get back to my desk”. It would be really nice if you could share it from your iPhone while in the meeting. Well – now you can, with Microsoft Teams!
Teams enables you to share the entire screen of your iOS device when in a Microsoft Teams meeting! Watch the below video to learn more! Enjoy!